Install setup-experience VPP apps on manually-enrolled iOS/iPadOS devices

[sgress454]

Related issue: Resolves #34042

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

Tested on iPad and iOS.

Full disclosure, VPP installs on my devices seemed to sometimes (not not always) fail silently the first time I tried them, with no error showing in the setup experience results. This could be due to the vagaries of user-based vpp licensing vs. device-based, which is perhaps not a real-world situation, or something else I'm not following with how VPP license assignments work. I'll continue trying to reproduce it but it's difficult since it only seems to happen once per app at most, and I can't remove the user licenses from a device without wiping it (I don't have any physical devices I can do this on).

[sgress454]

Previously, the logic here was "only enqueue setup experience items if the device reports the AwaitingConfiguration flag, AND it is an ios/ipad device OR it is any device that's not in the middle of a migration. After confirming that only macOS devices can be in the MigrationInProgress state, I expanded and simplified this logic to:

1. If a device reports AwaitingConfiguration and not MigrationInProgress, enqueue setup experience items.
2. Otherwise if it's a non-DEP-enrolled iOS/iPad device AND this is the first time it's checked in (TokenUpdateTally == 1), enqueue setup experience items

This ensures that enqueuing the items (which involves wiping out any existing items in the queue for the device) only happens once.

[JordanMontgomery]

We probably also want to check the enrollment type here. I think we only want to do this if it is a Device enrollment - a User enrollment(Device)(it's a thing in nano) aka a personal or byod device both doesn't currently support VPP when enrolled in fleet and is probably not part of the spec for this

[JordanMontgomery]

Also you can check the type by checking r.Type before you fetch the enrollment if that makes things cleaner. It should be set for all requests

[sgress454]

We probably also want to check the enrollment type here.

This is a separate check from the r.Type == mdm.Device that I'm doing? What other property should I look at?

[JordanMontgomery]

I somehow totally missed that. My bad - your check is totally fine

[codecov]

Codecov Report

❌ Patch coverage is 57.89474% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.24%. Comparing base (d2a21dd) to head (3da2be7).
⚠️ Report is 11 commits behind head on main.

Files with missing lines	Patch %	Lines
server/service/apple_mdm.go	71.42%	2 Missing and 2 partials ⚠️
server/worker/apple_mdm.go	20.00%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #35906      +/-   ##
==========================================
- Coverage   66.25%   66.24%   -0.02%     
==========================================
  Files        2112     2108       -4     
  Lines      179510   179260     -250     
  Branches     7546     7420     -126     
==========================================
- Hits       118937   118748     -189     
+ Misses      49675    49612      -63     
- Partials    10898    10900       +2     

Flag	Coverage Δ
backend	67.90% <57.89%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.